@@ -125,29 +125,26 @@ jobs:
125125 run : |
126126 set -euo pipefail
127127
128- if [ -z "$AZURE_CLIENT_ID" ]; then
129- echo "::error::AZURE_CLIENT_ID secret is empty or not set"
130- exit 1
131- fi
132-
133- # Debug: show identity-related env vars that may confuse az CLI
134- echo "=== Identity-related env vars in GHA runner ==="
135- env | sort | grep -iE '^(IDENTITY|MSI_|ACTIONS_ID|AZURE_)' \
136- | sed 's/=.*/=<set>/' || echo "(none)"
137- echo "=== end ==="
138-
139- # Run az login in a stripped environment so that no GHA/OIDC/App-Service
140- # variables trick azure-identity into a non-IMDS code-path.
128+ # Capture values, then REMOVE AZURE_CLIENT_ID from env.
129+ # az CLI / azure-identity SDK inspects this env var and tries
130+ # EnvironmentCredential (service-principal) before ManagedIdentity,
131+ # which sends wrong query params to IMDS → "Invalid query variables".
141132 CLIENT_ID="$AZURE_CLIENT_ID"
142133 SUB_ID="$E2E_AZURE_SUBSCRIPTION_ID"
143-
144- env -i \
145- HOME="$HOME" \
146- PATH="$PATH" \
147- LANG="${LANG:-C.UTF-8}" \
148- AZURE_CONFIG_DIR="${AZURE_CONFIG_DIR:-$HOME/.azure}" \
149- bash -c "az login --identity --client-id '${CLIENT_ID}' --output none"
150-
134+ unset AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_TENANT_ID
135+
136+ # Verify IMDS is reachable
137+ echo "Checking IMDS reachability..."
138+ curl -sS -o /dev/null -w "IMDS HTTP %{http_code}\n" \
139+ -H "Metadata:true" \
140+ "http://169.254.169.254/metadata/instance?api-version=2021-02-01" \
141+ --connect-timeout 5 || {
142+ echo "::error::IMDS endpoint unreachable — not running on Azure VM?"
143+ exit 1
144+ }
145+
146+ echo "Authenticating via user-assigned managed identity..."
147+ az login --identity --client-id "$CLIENT_ID" --output none
151148 az account set --subscription "$SUB_ID"
152149 echo "Logged in. Active subscription:"
153150 az account show --query '{name:name, id:id}' -o table
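Review bot: The empty-secret guard that the hunk drops (the old `if [ -z "$AZURE_CLIENT_ID" ]` block) is not replaced on the new side; `set -u` at the top of the run block only catches an unset variable, so an empty secret now flows through `CLIENT_ID="$AZURE_CLIENT_ID"` into `az login --identity --client-id ""` and fails far later with a less readable error. A one-line check before the assignment keeps the workflow annotation: `[ -n "${AZURE_CLIENT_ID:-}" ] || { echo "::error::AZURE_CLIENT_ID secret is empty or not set"; exit 1; }`, and the same applies to `E2E_AZURE_SUBSCRIPTION_ID` on the `SUB_ID` line. The new IMDS probe also treats any HTTP response as success, since curl exits 0 on 4xx/5xx without `--fail`, and has a connect timeout but no `--max-time`, so a listening-but-stalled endpoint blocks the job; adding `--fail --max-time 10` to that curl call makes it an actual reachability check. The `run:` block may continue past the last context line of the hunk.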